idp certificate issue

Christopher Steinke christopher.steinke at
Fri Nov 7 19:52:01 EST 2014

​Dear Shibboleth Users and Developers,

I was wondering if anyone has seen this behaviour
​ or some suggestions on getting this to work.

I have an IDP server and have four  Apache web servers running the SP
software, three work fine and one does not work with the exact same
metadata file with the exact same certificate.

On the Apache SP that does not work I get the following message:

2014-11-07 16:21:04 DEBUG XMLTooling.SOAPTransport.CURL [1]: invoking
custom X.509 verify callback
2014-11-07 16:21:04 DEBUG XMLTooling.TrustEngine.ExplicitKey [1]:
attempting to match credentials from peer with end-entity certificate
2014-11-07 16:21:04 DEBUG XMLTooling.TrustEngine.ExplicitKey [1]: no keys
within this peer's key information matched the given end-entity certificate
2014-11-07 16:21:04 DEBUG XMLTooling.TrustEngine.PKIX [1]: performing
certificate path validation...
2014-11-07 16:21:04 DEBUG XMLTooling.TrustEngine.PKIX [1]: failed to
validate certificate chain using supplied PKIX information
2014-11-07 16:21:04 ERROR XMLTooling.SOAPTransport.CURL [1]: supplied
TrustEngine failed to validate SSL/TLS server certificate
2014-11-07 16:21:04 ERROR XMLTooling.SOAPTransport.CURL [1]: Certificate:

<Cert Deleted>

2014-11-07 16:21:04 DEBUG XMLTooling.libcurl [1]: SSLv3, TLS alert, Server
hello (2):
2014-11-07 16:21:04 DEBUG XMLTooling.libcurl [1]: SSL certificate problem:
application verification failure
2014-11-07 16:21:04 DEBUG XMLTooling.libcurl [1]: Closing connection 0

The three Apache SP servers that work have the following configuration:

OS: Red Hat Enterprise Linux 6.5
Apache: httpd-2.2.15-31
Shibboleth SP: shibboleth-2.5.3-1.1

The Apache SP server that does not work:

OS: Red Hat Enterprise Linux 7.0
Apache: httpd-2.4.6-18
Shibboleth SP: shibboleth-2.5.3-2.1

IDP Server
OS: Red Hat Enterprise Linux 6.5
Shibboleth IDP: 2.4.0

So why is is that the IDP metadata with the same certificate works on one
config but not the other? And yes it's the same,
because I copied the same IDP metadata file from one working machine to the
machine that does not work.

I can supply additional information as needed.

Would this be an issue because the version of the IDP server is a bit old?
I see the latest release is: 2.4.3. (2014/11/03) and the version
is well over a year old.

Thanks for your help in advanced!

-------------- next part --------------
An HTML attachment was scrubbed...

More information about the users mailing list